FEDERAL ELECTION COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT

INSPECTION OF THE COMMISSION'S WEB SITE PRIVACY PRACTICES

MAY 2001

ASSIGNMENT 01-02

TABLE OF CONTENTS

DESCRIPTION ........................................................ PAGE
Background ............................................................ 1
Objectives, Scope, and Methodology .................................... 3
Inspection Results .................................................... 4
Conclusions ........................................................... 9
Appendix I: FEC Web Site Home Page ................................... 10
Appendix II: FEC Web Site Privacy Statement .......................... 11
Appendix III: FEC Conference Registration Web Form ................... 12
Background

The Office of Inspector General (OIG) conducted this inspection as a result of Federal legislation enacted in December 2000. This legislation required each Federal Inspector General to determine whether the agency or any third parties, including other governmental agencies, are obtaining personal information relating to any individual's access of an agency's Internet sites. Dialogue between Congressional staff and the OIG community, held in January 2000, resulted in an agreed-upon deadline of May 2001 for completion of the Inspectors General reviews. The legislation, titled the Treasury and General Government Appropriations Act of 2001, section 646, contained the following language:

"SEC. 646. Not later than 60 days after the date of enactment of this Act, the Inspector General of each department or agency shall submit to Congress a report that discloses any activity of the applicable department or agency relating to-
(1) the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and
(2) entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and nongovernmental Internet sites."

The Internet, i.e. the World Wide Web (Web), enables the Federal government to convey information to the public on a wide variety of issues in a quick and effective manner.
The Federal Election Commission's (FEC) Web site provides the public with access to information on the mission of the Commission, such as the FEC's enforcement of the Federal Election Campaign Act (FECA) and the disclosure of campaign finance information. The Web site includes Web forms enabling users to provide information to the FEC. One Web form gives political committees that are required to file electronically with the FEC the ability to download electronic filing software. Another Web form lets interested parties register on-line for FEC-sponsored conferences held to discuss various topics related to the FECA. Several e-mail addresses for FEC employees are also available on the Web site to allow the public to communicate with the Commission.

To instill confidence in the technology and encourage the use of Federal Web sites, appropriate privacy policies and practices must be in place to ensure that users' right to privacy is protected. An appropriate Internet privacy policy helps ensure that individuals have notice and choice about, and thus confidence in, how their personal information is handled when they use the Internet.[1]

The Federal Election Commission (FEC), established in 1975, is an independent regulatory agency that enforces and administers the Federal Election Campaign Act (FECA). Enforcement of FECA includes the following: facilitating public disclosure of finance activity; providing information and policy guidance to the public and elected officials; encouraging voluntary compliance with the disclosure and other requirements of the Act; and enforcing the statute through audits, investigations, and civil litigation. In addition, the Commission manages the public funding programs for Presidential campaigns and conventions.
The FEC is located in Washington, D.C., and has approximately 338 permanent and temporary employees.

The FEC Data Systems Development Division (DSDD) is responsible for providing computer support for the Commission. DSDD's responsibilities are divided into two main areas: (1) the Commission's disclosure of campaign finance information and (2) the internal computer support for Commission staff. DSDD, with the assistance of contractors, is generally responsible for the installation, maintenance, training, and on-going technical assistance for the Commission's computer system and the agency's Web sites.

The FEC contracts with two companies to provide Internet, or Web, related services. One contractor provides Web services, including computer hardware, software and communications support for the FEC's Web connection and primary Web site (http://www.fec.gov) (Appendix I). A second contractor supports the FEC's electronic filing and disclosure system, which enables political committees to electronically submit reports to the FEC. In addition, the contractor supports Web computer servers, which allow the public to electronically access disclosure reports filed by U.S. House of Representatives and Senate campaigns, Presidential campaigns, party committees, and political action committees. The disclosure reports are accessible either from the www.fec.gov Web site or directly at the Web servers maintained by the contractor for the FEC (http://herndon1.sdrdc.com/, http://herndon2.sdrdc.com/).

[1] Office of Management and Budget (OMB), Memorandum 99-18, Privacy Policies on Federal Web Sites, June 2, 1999, page 1.

Objectives, Scope, and Methodology

The objective of the Inspection was to evaluate the Commission's Web site privacy practices.
Specific objectives included the following:

(1) Determine whether the Commission utilizes Internet cookies or Web bugs, technologies used to monitor and/or collect personal information about Web users, and whether applicable Federal guidelines are followed; and
(2) Evaluate the Commission's Web site privacy policy in accordance with Federal guidelines.

The OIG reviewed the following documentation in order to obtain background information and criteria to evaluate the Commission's Web site privacy practices:
• Treasury and General Government Appropriations Act, 2001, section 646.
• U.S. Office of Management and Budget (OMB), M-00-13, Privacy Policies and Data Collection on Federal Web Sites, June 22, 2000.
• OMB, M-99-18, Privacy Policies on Federal Web Sites, June 2, 1999.
• U.S. General Accounting Office (GAO), Internet Privacy: Federal Agency Use of Cookies (GAO-01-147R), October 20, 2000.
• GAO, Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy (GAO/GGD-00-191), September 5, 2000.
• GAO, Internet Privacy: Comparison of Federal Agency Practices with FTC's Fair Information Principles, September 11, 2000.
• U.S. Department of Energy, Computer Incident Advisory Capability (CIAC), Information Bulletin I-034: Internet Cookies, March 12, 1998.
• FAQ: Web Bugs, Privacy Foundation, URL: http://www.privacyfoundation.org/education/webbug.html (March 20, 2001).

The OIG communicated with several FEC divisions to conduct the Inspection.
The OIG interviewed the following FEC staff in order to complete the inspection:
(1) Webmaster;
(2) Data Systems Development Division (DSDD) Director;
(3) Freedom of Information Act (FOIA) Officer and Assistant Press Officer; and
(4) Office of General Counsel's Legal Review and Administrative Law staff.

The OIG also obtained technical and contract information from the two contractors that provide Web-related services to the Commission.

The OIG used specialized computer software to determine whether the Commission's Web site uses Internet cookies or Web bugs. The OIG tested the entire www.fec.gov Web site for the use of cookies. Testing of the FEC's other Web servers used for campaign finance disclosure was performed on a limited basis. Testing for Web bugs was also conducted on the www.fec.gov Web site on a limited basis. The OIG relied on OMB guidance to evaluate the Commission's Web site privacy policy and general Web privacy practices, including the use of Internet cookies and Web bugs.

The OIG inspection was conducted in accordance with the President's Council on Integrity and Efficiency's Quality Standards for Inspections.

Inspection Results

Cookie and Web Bug Review
The OIG's Inspection included a review to determine whether the FEC's Web site utilizes Internet cookies or Web bugs. The FEC's Web site privacy policy specifically states the FEC does not enable cookies on the agency Web site (Appendix II).

An Internet cookie is a computer file containing a short string of text that may be sent from a Web server (i.e. Web site) to a Web browser (the user's personal computer hard drive) when the user accesses a particular Web site.
Cookies allow Web sites to recognize returning users, customize user settings on a Web site, and collect information about a Web user. For example, a retailer on the Web may use cookies to keep track of items selected by a Web user to be purchased on-line.

There are two forms of Internet cookies: persistent cookies and session cookies. Persistent cookies track information over time, and across different Web sites, and remain stored on a user's computer hard drive until the specified expiration date. Session cookies are used only during a single Web browser session, and do not raise privacy concerns according to the OMB.

Web bugs are similar to Internet cookies, and are capable of monitoring who is viewing a Web page or e-mail message. Web bugs are very small graphic images on a Web page or in an e-mail message, and are often invisible due to their size. Web bugs are used by some Web sites to track Web usage for advertising purposes, and to provide an independent accounting of how many users visited a particular Web site.

The OMB issued memorandum 00-13 on June 22, 2000, and a follow-up memorandum on September 5, 2000, addressed to the Chief Information Officers.
Both touched on privacy policies and data collection on Federal Web sites.

The OMB guidance stated Federal Web sites should not use persistent cookies unless four conditions are met:
(1) The site gives clear and conspicuous notice;
(2) There is a compelling need to gather the data on the site;
(3) Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and
(4) The agency head gives personal approval for the use.

In addition, OMB memorandum 99-18, Privacy Policies on Federal Web Sites, provides guidance to Federal agencies on appropriate disclosure in Web site privacy policies for both session and persistent cookies.

To determine whether the FEC utilizes cookies or Web bugs, the OIG used specialized computer software programs designed to detect the presence of cookies or Web bugs on a Web site. The OIG also received assurance from the Webmaster that the FEC does not utilize cookies or Web bugs on the FEC Web sites. In addition, the OIG contacted the two contractors who maintain Web servers for the FEC, and received written assurance that the contractors would not modify the FEC Web site to enable cookies or Web bugs, or disclose information to third parties, unless specifically authorized by the FEC.

Results
The OIG found no evidence that Internet cookies or Web bugs are used on the FEC Web sites, which is consistent with the FEC's privacy policy.

During the Inspection testing, the OIG found on the FEC Web site (www.fec.gov) several links to non-FEC Web sites. The FEC Web site provides links to other non-FEC Web sites containing information that is related to the FEC mission. For example, the FEC Web site provides links to several state government Web sites, and to a software company that provides software necessary to view certain files available on the FEC Web site.
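The two checks the report describes, classifying each cookie a server sets as session or persistent and looking for Web-bug-style tiny images served from another host, can be expressed as a small audit over captured HTTP responses. The following is an added example, not the OIG's inspection software; the responses are constructed, and the linked hosts www.example-state.gov and counter.example.net are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def classify_cookie(set_cookie):
    """Name and kind of one Set-Cookie value: "persistent" if it carries an
    Expires or Max-Age attribute (it outlives the browser session), otherwise
    "session"."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    kind = "persistent" if attrs & {"expires", "max-age"} else "session"
    return {"name": name, "kind": kind}


class _ImgCollector(HTMLParser):
    """Collect (src, width, height) of every <img> tag in a page body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            a = dict(attrs)
            self.images.append((a.get("src", ""), a.get("width"), a.get("height")))


def _tiny(value):
    """True when a declared dimension is 1 pixel or less ("1", "0", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_web_bugs(page_url, body):
    """src of images at most 1x1 that are served from a host other than the
    page's own host (same-host spacer images are not flagged)."""
    host = urlsplit(page_url).hostname
    collector = _ImgCollector()
    collector.feed(body)
    return [src for src, w, h in collector.images
            if _tiny(w) and _tiny(h)
            and urlsplit(src).hostname not in (None, host)]


def audit(responses):
    """Per host: names of session and persistent cookies set, and Web bug
    candidates embedded. responses is a list of (url, headers, body)."""
    report = {}
    for url, headers, body in responses:
        host = urlsplit(url).hostname
        entry = report.setdefault(host, {"session": [], "persistent": [], "web_bugs": []})
        for name, value in headers:
            if name.lower() == "set-cookie":
                cookie = classify_cookie(value)
                entry[cookie["kind"]].append(cookie["name"])
        entry["web_bugs"].extend(find_web_bugs(url, body))
    return report


# Constructed responses: the agency page sets no cookies; a linked
# hypothetical third-party page sets one persistent and one session cookie
# and embeds a 1x1 image fetched from a further hypothetical host.
SAMPLE = [
    ("http://www.fec.gov/", [("Content-Type", "text/html")],
     '<html><a href="http://www.example-state.gov/">State site</a></html>'),
    ("http://www.example-state.gov/",
     [("Set-Cookie", "visitor=abc123; Expires=Wed, 01 Jan 2003 00:00:00 GMT; Path=/"),
      ("Set-Cookie", "sid=xyz; Path=/")],
     '<html><img src="http://counter.example.net/pixel.gif" width="1" height="1"></html>'),
]

if __name__ == "__main__":
    for host, info in audit(SAMPLE).items():
        print(host, info)
```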
However, privacy policies of non-FEC Web sites may differ from the FEC's, as we found during our testing. As a by-product of our testing of the FEC Web site, we found that several of the non-FEC Web sites utilized both persistent and session cookies.

The FEC's practice of linking to other Web sites, some of which utilize cookies, is not a violation of any known Federal policy or regulation and does not violate the FEC's privacy policy. However, users of the FEC Web site may click on non-FEC links without realizing the link is associated with another organization, and that organization may use persistent cookies or Web bugs. Therefore, the OIG suggested that the FEC provide a notice to users that the FEC Web site contains links to non-FEC Web sites that may have different Internet privacy policies than the FEC, such as the use of cookies and Web bugs.

The OIG discussed the issue with management and received agreement that appropriate language would be incorporated into the FEC Web site privacy policy.

Privacy Policy Review
The FEC Web site privacy policy was reviewed (1) to determine whether the policy is adequate based on guidance provided by the Office of Management and Budget and (2) to ensure statements included in the privacy policy are followed.

OMB Guidance
On June 2, 1999, the OMB issued Memorandum 99-18, Privacy Policies on Federal Web Sites.
The memorandum directed agencies to post the following:
(1) A privacy policy on the agency's principal Web site by September 1, 1999;
(2) Privacy policies on any other known, major entry points to their Web sites by December 1, 1999, as well as on any Web page where they collect substantial personal information from the public;
(3) Policies that clearly and concisely inform visitors to the Web sites what information the agency collects about individuals, why the agency collects it, and how the agency will use it; and
(4) Policies that are clearly labeled and easily accessed when someone visits a Web site.

Posting of Privacy Policy
OMB memorandum 99-18 directed agencies to post privacy policies on major entry points to their Web sites, and also on any Web page where agencies collect substantial personal information from the public. The FEC's major Web site entry point is www.fec.gov. The FEC Web site contains a privacy policy as required by OMB. The FEC also has a separate Web presence that supports the FEC's electronic filing and disclosure system enabling political committees to electronically submit reports to the FEC. FEC.gov provides a link to the separate Web servers hosting the disclosure system; however, the Web servers can be reached independently of the FEC.gov Web site at http://herndon1.sdrdc.com/ and http://herndon2.sdrdc.com/.

Data was not readily available to the OIG to indicate the number of users who directly visit the disclosure system without first accessing www.fec.gov, the site containing the FEC's privacy policy.
Although a definitive determination could not be made as to whether the disclosure system Web servers should be classified as major Web site entry points in accordance with OMB guidance, the OIG suggested, and management agreed, to provide appropriate privacy notice on the disclosure system Web server(s).

FEC.gov also provides a link to an FEC contractor's Web site where interested parties are able to register electronically for FEC-sponsored conferences (Appendix III). Individuals may register on-line for FEC conferences by providing personal contact information, including name, address, phone number, etc. The contractor provides the FEC with support for conference planning, including the on-line registration Web form. OMB guidance directs agencies to post a privacy policy on any Web page where substantial personal information is collected from the public. The OIG suggested management provide a link to the FEC privacy policy on the Web page where the personal information is collected to register for the FEC conferences.

Management agreed to provide a link to the FEC's privacy policy on the Web page to ensure conference registrants are aware of the privacy policies.

Privacy Policy Language
Memorandum M-99-18 also includes guidance to Federal agencies on issues to address in their policies, such as the type of information that is automatically collected when a user visits the agency's Web site, and whether the agency utilizes "cookies." The guidance is intended to serve either as model language to be used verbatim, or as a starting point for agencies to tailor to their own needs and requirements.

The FEC's Web site privacy statement was generally consistent with the suggested language provided by OMB.
However, the FEC privacy policy lacked information related to the receipt of information by the FEC through e-mails and Web forms. The OMB guidance suggests a statement be included in privacy policies regarding how the information received will be used, and then handled by the agency once the purpose of the communication has been fulfilled.

The OIG suggested that the FEC state in the Web site privacy policy how information submitted through e-mail and Web-based forms will be handled by the Commission. The OIG discussed the issue with management, and received agreement that appropriate language would be incorporated into the FEC Web site privacy policy.

Actual Web Site Privacy Practices
The OIG also reviewed the FEC's Web site privacy policy to determine whether the statements were followed in practice. Overall, the OIG found the FEC's actual Web site privacy practices are conducted in accordance with the stated privacy policy.

Personally Identifiable Information
The FEC Web site privacy policy states the following:
"We do not give, sell or transfer any personal information to a third party."

The FEC Web site allows visitors to communicate and voluntarily provide information to the FEC. The Web site includes several e-mail addresses of FEC employees, including the Webmaster responsible for the Web site, and also e-mail addresses for each of the Commissioners of the FEC. In addition, the OIG Web site contains two Web-based forms.
The Web forms allow interested parties to register on-line for FEC-sponsored conferences, and let political committees required to file with the FEC download electronic filing software.

Although we found no evidence the FEC has given, sold, or transferred personal information to third parties, which would be inconsistent with Federal regulations or law, the OIG concluded the privacy policy should be revised to take into consideration instances that would require the release of information obtained by the FEC through e-mail or the Web site. In limited cases, Federal law enforcement actions and the Freedom of Information Act would compel the disclosure of certain information.

The OIG suggested management revise the privacy statement to take into consideration instances that would require the release of information obtained through e-mail or Web-based forms.

Management agreed to revise the privacy statement to address the exceptions requiring disclosure of information.

Web server logs
In the course of operating a Web server to host a Web site, it is customary for certain information about Web users to be automatically recorded, or logged. Web server logs generally record non-personal data regarding a user's visit to a Web site, such as the date and time the user accessed a Web page. The data contained in the Web server logs can provide useful information on the extent to which the Web site is used by the public, and it is also a means to detect and identify attempts by users to perform improper actions on the Web site.

The FEC privacy policy includes a list of items that are automatically logged by the FEC Web servers. The OIG contacted the two FEC contractors who maintain the Web servers to verify that the information logged about visitors to the FEC Web sites is consistent with the FEC privacy policy.
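The verification step just described, comparing the fields a Web server actually writes to its log with the fields the privacy policy lists, can be automated against a log sample. The following is an added example, not the OIG's procedure: it parses NCSA "common" and "combined" format lines, which is how many Web servers of the period logged requests, and reports any recorded field missing from a disclosed-field list. The log lines and the disclosed-field list are constructed for illustration.

```python
import re

# NCSA combined format: the "common" fields (client address, identity, user,
# timestamp, request line, status, bytes) optionally followed by the quoted
# Referer and User-Agent headers. Common-format lines omit the last two.
COMBINED = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)")?$'
)

# Constructed: the items a privacy policy might list as automatically logged.
DISCLOSED = {"client_ip", "timestamp", "request", "status", "bytes"}


def parse_line(line):
    """Fields the server actually recorded for one line, or None if the line
    is not in common/combined format. Absent optional groups and "-" (the
    server's marker for "nothing recorded") are dropped."""
    m = COMBINED.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v not in (None, "-")}


def recorded_fields(lines):
    """Union of field names seen across all parseable lines."""
    fields = set()
    for line in lines:
        rec = parse_line(line)
        if rec:
            fields.update(rec.keys())
    return fields


def undisclosed_fields(lines, disclosed=DISCLOSED):
    """Sorted names of fields the log records but the policy does not list."""
    return sorted(recorded_fields(lines) - disclosed)


# Constructed sample lines (addresses from documentation ranges).
SAMPLE_COMMON = [
    '192.0.2.10 - - [14/May/2001:10:22:01 -0400] "GET /pages/privacy.htm HTTP/1.0" 200 4321',
]
SAMPLE_COMBINED = [
    '192.0.2.10 - - [14/May/2001:10:22:01 -0400] "GET /pages/privacy.htm HTTP/1.0" 200 4321 '
    '"http://www.fec.gov/" "Mozilla/4.0 (compatible; MSIE 5.5)"',
    '198.51.100.7 - - [14/May/2001:10:25:44 -0400] "GET /finance/disclosure.htm HTTP/1.0" 200 987 '
    '"-" "Mozilla/4.76 [en] (X11; U; Linux)"',
]

if __name__ == "__main__":
    print("common format, undisclosed:  ", undisclosed_fields(SAMPLE_COMMON))
    print("combined format, undisclosed:", undisclosed_fields(SAMPLE_COMBINED))
```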
The OIG found the FEC's statements materially accurate, with the exception of two items that are automatically logged by one of the FEC contractors' Web servers and not disclosed in the FEC privacy policy. One of the Web servers maintained by a contractor logs the type of Web browser software used by the visitor to the Web site, and also the visitor's referring Web page, which is the Web site the user linked from to arrive at the FEC Web site.

The OIG suggested management add the two additional types of information logged by the FEC Web server to the list already in the Web site privacy policy. Management agreed.

Conclusions
The OIG found the FEC to be materially in compliance with applicable Office of Management and Budget guidelines on Web site privacy. In addition, the OIG found the FEC to be adhering to its stated Web site privacy policy.

The OIG found no evidence as a result of the Inspection to indicate that the FEC has:
(1) Engaged in the inappropriate collection or review of singular data, or the creation of aggregate lists that include personally identifiable information about individuals who access any Internet site of the Commission; or
(2) Inappropriately entered into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access, or viewing habits, of the Commission's Internet sites.

The OIG identified and conveyed several issues related to the FEC's privacy policy that should be improved and received agreement by management that all of the issues would be addressed in an appropriate manner.

Appendix I: FEC Web Site Home Page
(image page; no text extracted)

Appendix II: FEC Web Site Privacy Statement
(image page; no text extracted)

Appendix III: FEC Conference Registration Web Form
(image page; no text extracted)